What A Former Pro Hacker & FBI Informant Taught Me About iPhone Security

Before 2012, Hector Monsegur was an underground internet celebrity. Known by his online avatar, Sabu, Monsegur led the hacking group Lulzsec, an offshoot of the notorious hacktivist group Anonymous.

According to The New York Times, the self-taught hacker participated in attacks on companies including PayPal and Sony, as well ones against government agencies in Tunisia, Algeria, and Yemen. After he was caught and arrested in 2011, Monsegur maintained his persona and worked undercover as an FBI informant, preventing potential attacks and helping the FBI catch other infamous hackers.

Nowadays, Monsegur's old Twitter handle is retired and he's no longer anonymous. He's still using everything he learned as a hacker, but this time — he's on the law's good side. As the director of assessment services at Rhino Security Labs, Monsegur executes phishing attacks to find companies' security flaws and help them address vulnerabilities.

Monsegur was recently on Outlaw Tech, a Science Channel series that looked at how tech is helping both criminals and law enforcement agencies carry out next-level operations. The series' timing could not be more relevant: Cybersecurity has been newsworthy in recent months, as a result of the scarily successful Google Docs phishing scam and global ransomware hack.

When I met Monsegur at Refinery29's offices in early May, he smelled strongly of cigarette smoke, walked with a slight hunch to his linebacker frame, and was more soft-spoken than I expected for a man who ran a famous hacking group. I had asked him to meet up so he could school me on everything that can make the average iPhone user vulnerable to attack.

Ahead, the key takeaways from the ex-hacker and former FBI informant turned security do-gooder.

If you do one thing, go to your iPhone's Settings > General > Software Update, and make sure that you are running the latest version of iOS (right now, it's 10.3.2). Monsegur explained that these updates are there for a reason — to patch up any vulnerabilities that might have discovered in the current Apple operating system.

To see if any exploits had been found for the latest iOS at the time of our interview, iOS 10.3.1, Monsegur did a quick Google search for "iOS 10.3.1 jailbreak." When people jailbreak a phone, they strip it of many of the security assets that Apple has provided.

"If someone was trying to get information from you, or they wanted to infect your phone so they could steal information, intercept your phone calls, check your emails — stuff like that, then the fact that there's a jailbreak available for it, means that there's an exploit," he said.

That's why it's especially important to take the few minutes to power down and update your phone when a new version of iOS is available.

"You know, a lot of people are saying [you need to enable two-factor authentication], but the truth is a lot of people are not listening," Monsegur told me. "They hear it, but they're not doing anything about it."

Now's the time to do something about it. Most major apps and accounts, including Instagram and Facebook, offer two-factor authentication, which gives you an extra layer of security by asking for a trusted phone number. Say, for example, that someone knows your Gmail password and is trying to reset it so that they can gain control of your account. If you have two-factor authentication enabled, you'll get a text to verify this change. Unless the hacker has your phone, too, they'll be stopped in their tracks.

Which brings me to another of Monsegur's points...

If your phone does get stolen and you have lock screen notifications turned on, the hacker has access to any two-factor authentication texts that you receive.

"That's a major security problem," Monsegur said. "I always advise people to disable [lock screen notifications]. You don't need text messages to pop up. It just takes a second to look at the message."

To turn them off, go to Settings > Notifications. You'll need to go app by app to disable lock screen notifications for each, but to stay secure, it's worth your time.

Monsegur tries to avoid sending any regular text messages or emails, because they aren't encrypted. Obviously, for most of us who aren't former FBI informants working in the security business, this isn't very realistic — we're going to text. That isn't a problem if you're just chatting with a friend about the latest Bachelorette episode, but it is a problem if you text someone your social security number or HBO log-in credentials.

Instead, Monsegur prefers Signal, a free messaging app with complete end-to-end encryption. "The cool thing is it also has an audio and a video feature, so you can have a fully end-to-end encrypted chat or encrypted messaging or video chat, and there's nobody in the world that's going to look at it," he said. "They can't, because they can't even intercept it."

The worst case scenario, Monsegur said, is that someone would see traffic on the network — so, they might see that you're sending a text message — but they would never know anything about the contents of that message.

The only downside is that the person you're texting with also needs to have Signal. Otherwise, your text would show up as "a bunch of garbage," Monsegur said. But if you're just sending a few texts that you want to keep extra secure, ask the recipient to download the app.

Whenever you receive an email, like the one sent in the Google Docs scam, that asks you to authorize access to any of your accounts, double check with the sender to make sure it's legitimate.

You hear warnings about phishing emails that ask you to download a document or click a link, but this type of scam is different. In the case of the Google Docs hack, every user who clicked to "allow" access sent the scam on to their address book (what's known as a worm), causing it to spread especially fast.

"Hijacking authorization is such a new topic," Monsegur said. "This isn't the first time you're going to see it. The Google Docs scam was a proof of concept, an experiment. Something way bigger is going to come through."

So, if you want to protect your phone and all of your accounts, never grant authorization via email.

At the end of the day, Monsegur thinks that the best thing anyone can do to keep their phone secure is to stay vigilant. Think twice before clicking any link or sending sensitive information, and turn off any notifications that you don't absolutely need showing up on your lock screen. As annoying as it can be to power down and download a new iOS update, keep in mind that there's a reason that update is there.